diff --git a/teleport-18.yaml b/teleport-18.yaml
index 956b2b90a97..e0afaf7d3d5 100644
--- a/teleport-18.yaml
+++ b/teleport-18.yaml
@@ -1,7 +1,7 @@
 package:
   name: teleport-18
   version: "18.6.0"
-  epoch: 0 # GHSA-g754-hx8w-x2g6
+  epoch: 1 # GHSA-g754-hx8w-x2g6
   description: The easiest, and most secure way to access and protect all of your infrastructure.
   copyright:
     - license: AGPL-3.0-only
@@ -90,6 +90,67 @@ pipeline:
 
   - uses: strip
 
+subpackages:
+  - name: ${{package.name}}-kube-agent-updater
+    description: Kubernetes agent updater for Teleport
+    dependencies:
+      provides:
+        - teleport-kube-agent-updater=${{package.full-version}}
+    pipeline:
+      - uses: go/build
+        with:
+          packages: ./integrations/kube-agent-updater/cmd/teleport-kube-agent-updater
+          output: teleport-kube-agent-updater
+    test:
+      environment:
+        contents:
+          packages:
+            - curl
+        environment:
+          METRICS_PORT: "8080"
+          HEALTHZ_PORT: "8081"
+          KUBERNETES_SERVICE_HOST: "127.0.0.1"
+          KUBERNETES_SERVICE_PORT: "32764"
+      pipeline:
+        - uses: test/tw/help-check
+          with:
+            bins: teleport-kube-agent-updater
+        - uses: test/kwok/cluster
+        - uses: test/daemon-check-output
+          with:
+            start: |
+              teleport-kube-agent-updater \
+                --agent-name=test-agent \
+                --agent-namespace=default \
+                --metrics-addr=:${METRICS_PORT} \
+                --healthz-addr=:${HEALTHZ_PORT} \
+                --disable-leader-election \
+                --insecure-no-verify-image \
+                --insecure-no-resolve-image
+            timeout: 30
+            expected_output: |
+              Starting Controller
+            post: |-
+              set -o pipefail
+              curl -sf http://localhost:${HEALTHZ_PORT}/healthz | grep -F "ping"
+              curl -sf http://localhost:${HEALTHZ_PORT}/readyz | grep -F "ping"
+              curl -sf http://localhost:${METRICS_PORT}/metrics | grep -F "go_info"
+
+  - name: ${{package.name}}-kube-agent-updater-compat
+    description: Compatibility package for teleport-kube-agent-updater
+    dependencies:
+      runtime:
+        - ${{package.name}}-kube-agent-updater
+      provides:
+        - teleport-kube-agent-updater-compat=${{package.full-version}}
+    pipeline:
+      - runs: |
+          mkdir -p "${{targets.contextdir}}/"
+          ln -sf ./usr/bin/teleport-kube-agent-updater "${{targets.contextdir}}/teleport-kube-agent-updater"
+    test:
+      pipeline:
+        - uses: test/tw/symlink-check
+
 update:
   enabled: true
   ignore-regex-patterns:
@@ -100,6 +161,7 @@ update:
     - ".*gus.*"
     - ".*wasm.*"
     - ".*fred.*"
+    - ".*ldapbind.*"
   git:
     strip-prefix: v
     tag-filter-prefix: v18.